SMS Phish From a Router Box

Researchers warn that unsecured industrial cellular routers can be abused to dispatch SMS phishing campaigns across multiple countries, highlighting a new, low-tech phishing vector.

Security researchers have flagged a new vector for SMS phishing that relies on unsecured industrial cellular routers from Milesight IoT. In campaigns believed to have been active since 2023, researchers identified thousands of these devices exposed on the public Internet, including a subset that offered unauthenticated interfaces to anyone who scanned for them.

Milesight routers are rugged IoT devices used to connect traffic lights, power meters, and other remote industrial equipment to central hubs. They include SIM cards that operate on 3G/4G/5G networks and can be controlled by text message, Python scripts, and web interfaces, making them attractive targets for abuse.

The security firm Sekoia analyzed suspicious network traces from honeypots and discovered a cellular router being used to send SMS messages containing phishing URLs. Investigators identified more than 18,000 such routers accessible on the Internet, with at least 572 offering free access to programming interfaces. The majority were running firmware versions more than three years out of date, with known vulnerabilities.

Researchers noted that the messages formed part of “smishing” campaigns dating back to October 2023, directed at phone numbers in several countries including Sweden, Belgium, and Italy. Recipients were urged to log into various accounts, often government-related, in order to verify identity, with links leading to fraudulent sites that collected credentials.

Experts describe the abuse as a relatively unsophisticated yet effective delivery vector, because these devices enable decentralized SMS distribution across many countries, complicating detection and takedown efforts. While some details of how routers are compromised remain unclear, researchers suggested that outdated firmware and exposed APIs are contributing factors, though not all affected devices would necessarily be vulnerable to a specific CVE.

Mitigations include updating firmware, securing or disabling unauthenticated APIs, and segmenting networks to prevent direct Internet exposure. Organizations relying on industrial routers should audit devices, monitor unusual SMS or API activity, and restrict external access to management interfaces where feasible to reduce exposure.
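One way to monitor for the unusual SMS activity described above, shown as an added example that is not from the article or from Sekoia's research: it flags routers whose link-bearing outbound SMS fan out to many recipients. The record layout, router IDs, phone numbers, URLs, and the `flag_routers` helper are all constructed assumptions, not a real router log format.

```python
import re
from collections import defaultdict

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# Calling-code prefixes for the countries the article names.
COUNTRY_PREFIXES = {"+46": "SE", "+32": "BE", "+39": "IT"}

# Constructed sample records: (router_id, destination, body). The tuple layout
# is an assumption for illustration, not a real router log format.
SAMPLE_OUTBOX = [
    ("rtr-01", "+46700000001", "Verify your identity: http://login.example/a"),
    ("rtr-01", "+32400000002", "Verify your identity: http://login.example/a"),
    ("rtr-01", "+39300000003", "Verify your identity: http://login.example/a"),
    ("rtr-01", "+46700000004", "Verify your identity: http://login.example/a"),
    ("rtr-02", "+46700000009", "ALARM pump 3 pressure low"),
    ("rtr-02", "+46700000009", "ALARM pump 3 pressure ok"),
    ("rtr-03", "+46700000009", "Report ready: https://scada.example/r/17"),
]

def country_of(number):
    for prefix, code in COUNTRY_PREFIXES.items():
        if number.startswith(prefix):
            return code
    return "other"

def flag_routers(records, allowlist=frozenset(), min_recipients=3):
    """Return {router_id: summary} for routers whose URL-bearing SMS reach
    at least min_recipients numbers outside the operator allowlist."""
    stats = defaultdict(lambda: {"recipients": set(), "countries": set(), "urls": set()})
    for router, dest, body in records:
        urls = URL_RE.findall(body)
        if not urls or dest in allowlist:
            continue  # telemetry without links, or a known operator number
        s = stats[router]
        s["recipients"].add(dest)
        s["countries"].add(country_of(dest))
        s["urls"].update(urls)
    return {
        r: {"recipients": len(s["recipients"]),
            "countries": sorted(s["countries"]),
            "urls": sorted(s["urls"])}
        for r, s in stats.items() if len(s["recipients"]) >= min_recipients
    }

if __name__ == "__main__":
    for router, summary in flag_routers(SAMPLE_OUTBOX).items():
        print(router, summary)
```

The threshold and allowlist are tuning knobs: a router that legitimately texts one or two operator numbers stays quiet, while the same link sent to many unrelated numbers is surfaced for review.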

 

Arstechnica
